The competition regulator wants fintechs receiving bank data under the government's data porting regime to face tough penalties if they fail to meet stricter privacy standards that will be introduced to protect customers.

Releasing a framework for rules to govern the new "consumer data right" (CDR) – which will begin with bank data and then be extended to telecommunications and utilities – the Australian Competition and Consumer Commission said its accreditation regime would require data recipients to be "fit and proper", have "effective" risk systems to protect information and privacy, and to take out insurance to cover potential data breaches.

Suggesting it will adopt a tougher approach towards open banking than regulators in the UK, where under a similar regime data has been flowing freely into lower quality fintechs, the ACCC said companies that fail to comply with accreditation standards could be hit with litigation.

"The ACCC's current position is that rules imposing obligations on data holders or accredited data recipients will be specified to be civil penalty provisions," the regulator said on Wednesday.

The ACCC said it would not allow banks to charge fees for providing account data and may force them to provide data to former customers.

Leakage a 'flaw'

However, the ACCC has also left open the potential for banking data to be used outside the regulated system.

It said it planned to allow customers to send banking data to non-accredited parties – which the legislation provides for – so long as it first goes through an accredited recipient, who must warn the customer that if they share it more broadly (for example, with their accountant or a mortgage broker), they will lose the regime's protections.

Consumer groups say this could be dangerous. "This is a fundamental flaw to the legislation and needs to be reconsidered," said the Financial Rights Legal Centre in a submission to Treasury. "The introduction of the concept of providing non-accredited CDR participants the ability to access [data] against the recommendation of the open banking report provides a significant leakage point for CDR data to fall outside of the system."

The ACCC also said it supported developing lower tiers of accreditation and was seeking views on creating an "intermediary model". This would create lower levels of accreditation for fintechs that do not actually collect data from banks, which would allow them to still get insights from it after it was collected via an intermediary.

Big tech can play

The ACCC has left the door open for big global technology players to enter the financial services sector by getting accreditation to access bank data without having to contribute their own customer data into the regime.

"Reciprocity is not a 'quid pro quo' arrangement between data holders and accredited data recipients," the ACCC said. "The CDR regime is consumer focused, and any approach to reciprocity would need to be based on a consumer directing and consenting to an accredited data recipient sharing their data."

The rules framework also deals with the issue of consent. The ACCC said it would "make rules to the effect that an accredited data recipient must obtain a consumer's consent to both collecting, and using, specified data for specified purposes and for a specified time".

On-boarding experience

One of the most controversial issues still to be determined will be whether a bank customer can initiate a data share from inside a fintech's site, or whether they have to be redirected back to the bank's environment – which banks want but which fintechs suggest will limit take-up. The ACCC said the "Data Standards Body", which is being chaired by former IBM executive Andrew Stevens through Data61, will determine the model for authorisation; a decision is expected to be made in the coming months.

The ACCC said it would also consider creating a right for consumers to request data that has been shared to be deleted, and would restrict it being on-sold.

It also said it would create rules that gave effect to enhanced "privacy safeguards" included in the bill, and it wanted to go beyond the open banking review's recommendations on identity authentication.

The ACCC is planning tougher standards in line with Europe's PSD2 regime, including multi-factor authentication in order to ensure the "regime is trusted and secure".

The Financial Rights Legal Centre has told Treasury its legislation failed to address several concerns about the open banking regime, including its potential to increase complexity of choice, increase economic inequality, and attract predatory marketing and other unconscionable practices.

No fees

The ACCC said it would not allow banks to charge a fee for providing account data, and while former customers will not be included in the initial phase, it "considers it desirable that former customers are brought within scope as soon as possible". Such a move would increase costs for banks, which will have to work out how to confirm the identity of former customers.

Banks will also have to invest to make changes to their online banking portals to include a new "dashboard" to allow customers to see all their data authorisations.

The ACCC said it would require all data transfers to occur through "application programming interfaces" (APIs). The banks are currently investing millions of dollars in new API software and, given the breadth of banking data that will need to be accessed, it is expected that multiple APIs will need to be developed.

The ACCC said many of the issues around open banking were "multi-faceted and complex" and would require further consideration before it arrived at a final position.

While open banking, introduced by Prime Minister Scott Morrison to boost banking competition, has largely flown under the radar given the banking royal commission, the major banks recognise its disruptive potential. The government's aggressive timelines for implementation - it wants the regime turned on mid-way through next year - will require new investment to prepare IT systems and policies.